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Living Security. 


Head of Research & Chief Security Officer, ERNW GmbH 

Recent Talks and Publications: 

■ “Hacking SecondLife”, Hack-in-the-Box, Dubai 2008 

■ “Reversing - A structured approach”, RSA, San Francisco 2008 

■ “Hacking Second Life”, Blackhat, Amsterdam, 2008 

■ “Hacking the Cisco NAC Framework”, Sector, Toronto, 2007 

■ “Hacking SecondLife”, Daycon, Dayton 2007 

■ “Hacking Cisco NAC”, Hack-in-the-Box, Kuala Lumpur, 2007 

■ “NAC@ACK”, Blackhat-USA, Las Vegas, 2007 

■ “NAC@ACK”, Blackhat-Europe, Amsterdam, 2007 

■ “Mehr IT-Sicherheits durch PenTests”, Book published by Vieweg 2005 

■ What I like to do 

■ Breaking things ;-) and all that hacker stuff 

■ Diving (you would be surprised what IT-Security lessons you can learn 
from diving) 

Contact Details: 

■ Email: mthumann@ernw.de / Web: http://www.ernw.de 







#whois ERNW GmbH 

■ Founded in 2001 

■ Based in Heidelberg, Germany (+ small office in Lisbon, PT) 

■ Network Consulting with a dedicated focus on InfoSec 

■ Current force level: 18 employees 

■ Key fields of activity: 

■ Audit/Penetration-Testing 

■ Risk-Evaluation & -Management, Security Management 

■ Security Research 

■ Our customers: banks, federal agencies, internet providers/ 
carriers, large enterprises 
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Agenda ^ Living Security. 

■ Part 1 - Introduction (very short) 

■ Why Reverse Engineering and why a structured approach 

■ Part 2 - Needed Know How 

■ All you need to know in order to do it :-) 

■ Part 3 - Tools of the Trade 

■ The Toolset - tools used at ERNW 

■ Part 4 - The structured Approach 

■ How to make life more easy 

■ Part 5 - Exercises 

■ Time to wake up guys 
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Reverse Engineering Ninjitsu 
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■ Not many people can do it 

■ Ninjas are invisible and can appear and 
disappear at any time 

■ Ninjas are all magicians ! 

■ Ninjas are the bad guys 

■ But many people would like to know all that 
magic 

■ You can’t learn it from books, because the 
magic is not in the books 
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Reverse Engineering Ninjitsu - 
demystified 
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■ It’s not magic 

■ It’s all about Knowledge 

■ It’s all about the right techniques 

■ It’s all about the right weapons 

■ And it’s all about the right combination 
of knowledge, techniques and weapons 





Reverse Engineering - Definition 


ERNW 



Living Security. 


■ is the process of discovering the technological principles 
of a device or object or system through the analysis of its 
structure and functions. It often involves taking something 
(mechanical device, electronic component, software 
program) apart and analyzing its workings in detail, 
usually to try to make a new device or program that does 
the same thing without copying anything from the original. 
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Why Reversing? 
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■ Because you need to know how the stuff is working 

■ Because Applications are very often distributed as 
binaries only 

■ Because a customer wants you to answer the question “Is 
this application secure?” 

■ Because finding security flaws is pretty cool and makes a 
good reputation for you and your company 

■ ... and there are much more reasons ;-) 
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Why structured 
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■ Because Reversing all stuff needs to much time 

■ Because time is money ;-) 

■ Because the customer doesn’t want to pay us for years to 
answer his question 

■ Because you won’t get a result when you get lost in tons 
of code 
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Part 2 - Needed Know How 
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Needed Know 
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■ Processor Architecture (RISC vs. CISC, Little vs. Big 
Endian and so forth) 

■ Assembler (there’s more than one dialect ;-) ) 

■ OS internals 

■ OS API 

■ Commonly used programming languages 

■ Debugging 

■ Tool usage 

■ ... and sometimes the ability to think in a way other people 
don’t 
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Part 3 - Tools of the Trade 






Needed Tools 


■ Disassembler 

■ Decompiler 

■ API Monitor 

■ Debugger 

■ Code Coverage Tools 

■ Sniffer 

■ Documentation © 

■ Your brain © 
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Commercial Must Have Tools 


ERNW 



Living Security. 


■ Disassembler: IDA Pro Advanced 

■ Decompiler: Hex-Rays (IDA Plugin) 

■ API Monitor: Autodebug Professional 
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IDA Pro 
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■ The famous and allmighty Disassembler 

■ Available for Windows, Linux and Mac OS X 

■ Commercial Product ($515 to $985) 

■ Debugger included that also supports debugging of PDAs 

■ Programmable and extensible (SDK included) 

■ Moved from Datarescue to Hex-Rays at the beginning of 
2008 

■ Further Information at www.hex-rays.com 
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Hex-Rays Decompiler 
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■ First Decompiler that produces more than crap 
- Build by llfak Guilfanov (think IDAPro ©) 

■ Released as commercial Addon for IDA (ca. $2,000) 

■ Planned: API to support Decompiler Plugins like 
Vulnerability Analyzer and others (First SDK Beta already 
released) 

■ Planned: Type and Function Prototype Recovery 

■ Planned: Assembler Knowledge not needed anymore 

■ Further Information at www.hex-rays.com 
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Autodebug API Monitor 
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■ Debugger and API Monitor 

■ Watch the function calls and see the parameters passed to 
the function 

■ Commercial Tool ($ 299 ) 

■ Remote Debugging using a debug agent 

■ Used in our Cisco NAC Research and saved so much time 

■ Further Information at www.autodebuq.com 



18 


April 21, 2008 


NAC 

@ACK 




Free Tools 
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■ Debugger: OllyDBG (www.ollydbg.de) 

■ Debugger: Immunity Debugger (www.immunitysec.com) 

■ Sniffer: Wireshark (www.wireshark.net) 

■ Decompiler: Boomerang (boomerang.sourceforge.net), 
free, but the output is more or less useless 

■ Code Coverage: PAIMEI (pedram.openrce.org/PAIMEI) 

■ Others: Log files ;-)) 
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More Commercial Tools 
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■ HBGary Inspector: Cool AllinOne Tool, but more pricy (7K 
Bucks), but also worth a look 

■ Zynamics BinNavi: Flowcharts and Code Coverage (about 
5k bucks) 
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Part 4 - The structured Approach 
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The ugly stuff -a structured approach 
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■ Step 1 : Define the question to answer 

■ Step 2: Understand the program flow 

■ Step 3: Identify interesting functions 

■ Step 4: Figure out the function prototype (used 
parameters) 

■ Step 5: Understand what the function is doing 

■ Step 6: Do runtime analysis to understand what the 
program is doing with input and output data 

■ Step 7: Use the gained knowledge to answer the question 
from Step 1 





Tools used for the different steps 
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■ Step 1: The Brain VI. 0 

■ Step 2: IDAPro 

■ Step 3: IDAPro 

■ Step 4: IDAPro / Hex-Rays 

■ Step 5: IDAPro / Hex-Rays 

■ Step 6: Autodebug / OllyDBG / Immunity Debugger 

■ Step 7: The Brain V2.0 





Time to wake 


• • 


W 


u 


Reversing by Michael Thumann 


4 / 21/08 24 




Step 1 : The question 
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Audit a piece of Software 

Do the developers follow the principles for secure coding? 
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Step 2: Program Flow - Flowchart 
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Step 2: Program Flow - From main 
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Step 2: Program Flow - ignore everything 
but user defined functions 
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*1 


Start address j. text: 00401 0B0 T| 

End address |. text: 00401 0B0 T] 


^Starting direction — 

W Cross references to 
w Cross references from 

Parameters — 


W Recursive 

w Follow only current direction 


Re cursion 

Ignore 
w Externals 
W Data 

W From library functions 
[✓To library functions 

F Print comments 
W Print recursion dots 


OK 


Cancel 


Help 
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Step 2: Program Flow - Uff © 
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sub_4 01030 

a 

s u b_4 0 1020 


s u b_4 0 10 0 0 


sub_4 01010 


s u b_4 0 1 04 0 





















Step 3: Interessting Functions - Here we 
are © 
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sub_4 01030 

a 

s u b_4 0 1020 


s u b_4 0 10 0 0 


sub_4 01010 


s u b_4 0 1 04 0 





















Step 4: Function Prototypes 
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sub_401000 proc near 


/ var_200= byte ptr -200h 

arg_0= dword ptr 4 

Internal variable Function argument 






Step 4: Function Prototypes 
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sub_401000 (arg_0); 
ar 9_0= dwoix^ptr 4 

Which type? Pointer or Integer? 

You have to look at the place where the function is called 
to find out what type is passed to the function 





Step 4: Function Prototypes 
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int stdcall recv(SOCKET s, char *buf, int len, int flags) 

extrn recuidword \ ; CODE XREF : _main+ 16 Ctp 


push 

push 

call 


call 


eax 
edx 
ebp : recu 




sub 401000 


Yuppieh, it‘s a Pointer to a buffer © 
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Step 4: Function Prototypes - Here we are 
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sub_401000 (char *arg_0); 
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Step 4: Function Prototypes - Or just 
press F5 and look at the decompiler 
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sub_401000(const char *a1) 

{ 

char v2; 


} 





Step 5: Understand what the function is 
doing - Example 1 
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dump proc near 

uar 200= byte ptr -200h 
buffer= dword ptr 4 


sub 

esp. 

200h 

or 

ecx , 

OFFFFFFFFh 

xor 

eax , 

eax 

lea 

edx , 

[esp+200h+uar_200] 

push 

esi 


push 

edi 


mou 

edi , 

[esp+208h+buf f er ] 

repne 

scasb 


not 

ecx 


sub 

edi , 

ecx 

mou 

eax , 

ecx 

mou 

esi. 

edi 

mou 

edi , 

edx 

shr 

ecx , 

2 

rep mousd 


mou 

ecx , 

eax 

xor 

eax , 

eax 

and 

ecx , 

3 

rep mousb 


lea 

edi , 

[esp+208h+uar 200] 

or 

ecx , 

OFFFFFFFFh 

repne 

scasb 



not ecx 

dec ecx 

push ecx 

push offset format ; "Len : %i\n" 
call printf 

lea ecx, [esp+21 0h+uar_200] 

push ecx 

push offset aRecuS ; "Recur %s\n" 

call printf 

add esp, 10h 

pop edi 

pop esi 

add esp, 200h 

retn 

dump endp 





Step 5: Understand what the function is 
doing - Example 1 (Decompiler) 
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int cdecl dunp(char ^buffer) 

< 

char u2 ; // [sp+8h] [bp-200h]@1 
strcpy(e,u2, buffer); 

printfC'Len : %i\n", strlen(&u2) - 1); 
return printf ("Recu : ^sXn", &u2); 





Step 5: Understand what the function is 
doing - Example 2 
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Don’t worry © 

I can’t read it too 
but it’s assembler 
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Step 5: Understand what the function is 
doing - Example 2 (Decompiler) 
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int cdecl main(int argc, const char **argu, const cha 

const char **u3; // ebx@1 
u_short u4; // di@2 
SOCKET u6 ; // esi@6 
SOCKET u7 ; // eax@6 
char *u8; // eax@7 
char *u9; // eax@10 
char *u10; // eax@13 
SOCKET oil; // edx@15 

struct USAData WSAData; ft [sp+20h] [bp-212Ch]@4 
struct sockaddr name; ft [sp+Ch] [bp-2140h]@9 
int addrlen; if [^p+1Ch] [bp-2130h]@15 
char buffer; // [sp+IBOh] [bp-lf 9Ch]@15 

u3 = argu; 

if ( *(argu + 1) ) 

u4 = atoi(*(argu + 1)); 
else 

u4 = 5432; 

if ( ?WSAStartup( 0x1 01u , RWSAData) ) 

< 

u7 = WSASocketA(2, 1, 6, 0, 0, 0); 

u6 = u7 ; 

if ( (signed int)u7 < 0 ) 

{ 

u8 = strerror(dword_4099C8) ; 

fprintf (&File, "^s: WSASocket - %s\n", *u3, u8); 
exit(1); 

> 


• ■ 
name .sa_f amily = 2; 

*( DWORD *)&name .sa_data[6] = 0; 

*(_DW0RD *)&name .sa_data[1 0] = 0; 

*(_DW0RD *)fcname .sa_data[2] = 0; 

*(_W0RD *)&name .sa_data[ 0] = htons(u4); 
if ( bind(u6, &name, 16) < 0 ) 

< 

u9 = strerror(dword_4099C8) ; 

fprintf (&File , "%s: bind - %s\n", *u3, u9); 

exit(1) ; 

> 

if ( listen(u6, 1) < 0 ) 

< 

ulO = strerror(dword_4099C8) ; 

fprintf (&File, "%s: listen - %s\n", *u3, ulO); 

exit(1 ) ; 

> 

while ( 1 ) 

{ 

addrlen = 16; 

oil = accept(u6, & ame, &addrlen); 

memsetf&buf f er , 0, 0x1F9Cu); 
recu(u11 f &buffer, 8092, 0); 
dump(&buf f er) ; 

> 

> 

return 0; 

> 





Step 6: Runtime Analysis 
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■ Instead of watching Stack variables in a standard 
debugger, a look at the function call would be much more 
easier 

■ Autodebug will help to do that, but first autodebug must 
know the function 
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Autodebug without Debug Symbols 
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■ Step 1 

■ Step 2 

■ Step 3 

■ Step 4 

■ Step 5 


Generate map file within IDAPro 

Run binary with autodebug 

Load Map File in autodebug 

Generate PDB Template (it’s a VS6 Project) 

Close autodebug 
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Autodebug without Debug Symbols 
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■ Step 6: Fill in the known function prototype (gained from 
IDAPro / Hex-Rays Analysis) into your PDB template 

■ Step 7: Compile 

■ Step 8: Use PDB File (Program Debug Database) with 
Autodebug (copy into pdbfiles directory) 

■ Step 9: Load Map File in autodebug 

■ Step 10: Select functions to monitor 

■ Step 11 : See which parameters are passed to the function 
and which values are returned 





d 


Auto Debug Professional V5.0 




Auto Debug Professional V5.0 


■ □ X 


File View Tool Help 


\£h M 1 1 1 x X | ^ f 



Ready 



Step 6: Runtime Analysis 
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■ Code Coverage Analyzer can help to determine which 
functions are called during runtime 

■ One of PAIMEIs functions is Code Coverage 

■ PAIMEI interacts with IDAPro and has a lot more 
functionality build in 

■ Code Coverage helps to focus on interessting functions 
that are called 

■ Find PAIMEI at paimei.openrce.org 





PAIM Eicon sole 


Connections Advanced Help 


777 


docs 


PAJIV explore 


0xFF 

PAW fHefuzz 


I 


Refresh Target List 


fc Available Targets 
■£] Example 


PIDA Modules 


PDA... 


Add Module(s) 


Data Exploration 


# 

| EIP 

1 TO 

| Module 

| Func? 

Tag 

267 

0042bf0f 

4772 

srv.exe 

Y 

Tagl 

268 

00439780 

4772 

srv.exe 

Y 

Tagl 

269 

00439a45 

4772 

srv.exe 

Y 

Tagl 

270 

00439a 72 

4772 

srv.exe 

Y 

Tagl 

271 

0042b4ab 

4772 

srv.exe 

Y 

Tagl 


Functions: 278 / 1557 


mm 


Basic Blocks: 1983 / 12360 


mm 


Data Capture 


Refresh Process List 


Dereferenced Data 


Tue 

EIP 

Oct 02 00:51:50 2007 
00439a45 

EAX 

00000000 ( 

0) -> 

EBX 

00000000 ( 

0) -> 

ECX 

00000000 ( 

0) -> 

EDX 

00000000 ( 

0) -> 

EDI 

00000000 ( 

0) -> 

ESI 

00000000 ( 

0) -> 

EBP 

00000000 ( 

0) -> 

ESP 

00000000 ( 

0) -> 

+04 

00000000 ( 

0) -> 

+08 

00000000 ( 

0) -> 

+0C 

00000000 ( 

0) -> 

+10 

00000000 ( 

0) -> 


r * 

debuqaer 

hit 

0042d6d0 

CC 

#248 


1” 

debugger 

hit 

0042b25 8 

cc 

#249 


1* 

debugger 

hi t 

0042d700 

CC 

#250 


1 = 

debugger 

hit 

0042b262 

cc 

#251 


f* 

debugger 

hit 

0042d7 30 

cc 

#252 


1” 

debugger 

hit 

0042b74e 

cc 

#253 


1” 

debugger 

hit 

0042dcl0 

cc 

#254 



debugger 

hi t 

0042C261 

cc 

#255 


1” 

debugger 

hit 

00431ef0 

cc 

#256 


1° 

debugger 

hi t 

00432160 

cc 

#257 


1” 

debugger 

hit 

0042b30C 

cc 

#258 



debugger 

hi t 

00434140 

cc 

#259 


1* 

debugger 

hit 

0042b5 a5 

cc 

#260 


1” 

debugger 

hit 

0043C640 

cc 

#261 


1* 

debugger 

hit 

0042bSll 

cc 

#262 


r* 

debugaer 

hit 

00470140 

cc 

#263 


1* 

debugger 

hi t 

0042b6c2 

cc 

#264 


1* 

debugger 

hit 

00439Se0 

cc 

#265 


r* 

debugger 

hit 

00439900 

cc 

#266 


1* 

debugger 

hit 

0042bf Of 

cc 

#267 


1" 

debugger 

hit 

00439780 

cc 

#268 


1* 

debugger 

hi t 

00439345 

cc 

#269 


1” 

debugger 

hit 

00439a72 

cc 

#270 


1” 

debugger 

hit 

0042b4ab 

cc 

#271 


1* 

debuqger 

hit 

00436410 

cc 

#272 


r* 

debugger 

hi t 

00436534 

cc 

#273 


1* 

debugger 

hi t 

00432280 

cc 

#274 


r * 

debugger 

hit 

0042b6e0 

c c 

#275 


1* 

debugger 

hi t 

00432370 

cc 

#276 


1” 

debugger 

hit 

0042b22b 

cc 

#277 


1” 

debugger 

hit 

00432320 

cc 

#278 


1” 

Exporting 278 hits to 

MySQL . 


1 = 

Resetting filter list 

and stalk 

tao. 

L* 

Resetting filter list 

and stalk 

tag. 


Function coverage at 0 %. Basic block coverage at 0%. 

Function coverage at 17%. Basic block coverage at 16%. 

Function coverage at 0%. Basic block coverage at 0%. 

Function coverage at 0%. Basic block coverage at 0%. 

Function coverage at 0%. Basic block coverage at 0%. 

Resetting filter list and stalk tag. 

Function coverage at 17%. Basic block coverage at 16%. 
Resetting filter list and stalk tag. 


PD 

| Process 

- 

2040 

smss.exe 


568 

csrss.exe 

- 

620 

winlogon.exe 


824 

services.exe 


836 

lsass.exe 


1156 

ibmpmsvc.exe 


1184 

ati2evxx.exe 


1204 

svchost.exe 


1296 

svchost.exe 


1664 

svchost.exe 


1736 

S24EvMon.exe 


1476 

svchost.exe 


1640 

svchost.exe 


740 

spoolsv.exe 


1044 

AcPrfMgrSvc.exe 


1212 

avmbtservice.exe 


1336 

panapp.exe 


1392 

avp.exe 


1412 

svchost.exe 


1524 

btwdins.exe 

▼ 


Load: | Z: \Workshops Reversing V )emo\c | | Browse 
Coverage Depth 
0 Functions 
O Basic Blocks 


HU Restore BPs □ Heavy 


0 Unhandled Only 


Start Stalking 


Successfully connected to uDraw(Graph) server at 127.0.0. 1. 


Process Stalker 




Step 7: Answer the question 


■ Ok, summary anyone? 

■ Is the program secure? 
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Final Conclusions 
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■ This approach works (at least for us © ) 

■ Can you answer every question? No you can’t (think of 
code obfuscation, anti RE functions and so forth where 
additional steps are needed) 

■ You don’t have to be an assembler guru to work with this 
approach, but don’t forget that you still need skilled 
people 

■ You still can improve for example code coverage with 
commercial tools 
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Thank’s for your patience 


Time left for 'questions & answers' ? 
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